Providing security for data in computing systems is important for many reasons, such as ensuring sensitive data is not accessible to unauthorized users. Passwords are commonly used in an attempt to secure computing systems. For example, at power on, a user may be prompted for a password prior to allowing the computing system to complete booting. Users resuming a computing system from a lower powered state, for example S3, may be prompted for a password (for example, a power-on password) prior to the computing system resuming.
With respect to the data content of drives (disks, HDDs), conventionally a password may be set for a drive itself, whereby at power on of a computing system, data of a drive of the computing system is locked, subject to authorization using the password. Thus, access to the drive contents is dependent on authentication. However, with proper equipment, even password-locked drives could be removed and the data read without proper authentication. Efforts to make data on drives more secure thus led to additional schemes, including encrypting the data on the drive so that even though the data on the drive may be accessible if the drive is removed, the data on the drive is not in a useful form (it is encrypted).
A way in which data on a drive may be encrypted is through use of a self-encrypting drive (SED). SEDs are storage devices that include embedded services for encrypting the data content of the drives. The Trusted Computing Group (TCG) specifies a standard, commonly referred to as Opal, for security regarding SEDs. SEDs operate by encrypting data written to the drive, and decrypting encrypted data read from the drive. This is done by the SED and is transparent from the user's perspective. SEDs are locked when powered off, and remain locked on power up until an authentication takes place.
Key management in SEDs is provided in the hard disk controller, and authentication on power up of an SED takes place via a software pre-boot authentication environment or with a BIOS password. For example, when a computing system is powered on and requests the master boot record (MBR), the SED returns an MBR shadow, which is pre-boot code for an environment that allows the disk to unlock. The MBR shadow authenticates the user and unlocks the drive. At that point the normal boot process resumes: the computing system's request for the MBR now returns the actual MBR, the operating system is loaded, and the booting process completes. This ensures that in a power off state in which the disk is powered down, the disk protects all data contents on it, because the data content, including an operating system (OS), is in an encrypted state and cannot be unlocked without proper authentication.
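The power-on sequence described above can be modeled in a few lines. The following is an added illustration, not code from the original text or from any SED vendor; the class `ToySED`, the function `boot`, the 32-byte sector size, the PBKDF2 password verifier and the SHA-256 keystream (a stand-in for the drive's hardware cipher) are all assumptions made for the sketch.

```python
import hashlib
import hmac
import os

SECTOR = 32  # constructed sector size, kept tiny so the keystream covers it

def _xor_stream(key: bytes, lba: int, data: bytes) -> bytes:
    # Stand-in cipher: XOR with a per-sector SHA-256 keystream (assumption).
    pad = hashlib.sha256(key + lba.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class ToySED:
    def __init__(self, password: bytes, shadow: bytes):
        self._salt = os.urandom(16)
        self._verifier = hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)
        self._mek = os.urandom(32)            # media key, held by the drive controller
        self._shadow = shadow.ljust(SECTOR, b"\0")
        self._media = {}                      # lba -> ciphertext as stored on the media
        self._locked = True                   # an SED is locked after every power-up

    def power_cycle(self):
        self._locked = True                   # unlock state does not survive power-off

    def authenticate(self, password: bytes) -> bool:
        guess = hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)
        ok = hmac.compare_digest(guess, self._verifier)
        self._locked = self._locked and not ok
        return ok

    def write(self, lba: int, data: bytes):
        if self._locked:
            raise PermissionError("drive is locked")
        self._media[lba] = _xor_stream(self._mek, lba, data.ljust(SECTOR, b"\0"))

    def read(self, lba: int) -> bytes:
        if self._locked:
            if lba == 0:
                return self._shadow           # MBR request is answered with the MBR shadow
            raise PermissionError("drive is locked")
        return _xor_stream(self._mek, lba, self._media[lba])

    def raw_media(self, lba: int) -> bytes:
        return self._media[lba]               # stored form when the media is read directly

def boot(drive: ToySED, password: bytes):
    # Power-on flow from the text: shadow first, actual MBR only after authentication.
    drive.power_cycle()
    shadow = drive.read(0)
    if not drive.authenticate(password):
        raise PermissionError("pre-boot authentication failed")
    return shadow, drive.read(0)
```

The same read of sector 0 yields two different results depending on lock state, and `raw_media` shows that the stored bytes stay encrypted whether or not the drive is unlocked.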